The medical histories of more than 10,000 patients have been discovered in a basement in Aurora, Illinois.
The documents were located at a house that a tenant rents from Naperville-based psychiatrist Dr. Riaz Baber, M.D. The files had been stored in the basement for at least 4 years.
The tenant, Barbara Jarvis-Neavins, claims that she was given access to the basement by the psychiatrist’s wife when workmen had to carry out some work at the house. She says she was advised that she must be present while the workers were in the basement.
Ms. Jarvis-Neavins said she felt that she should report to the relevant authorities that the files were stored in a basement she could access. However, she feared that doing so would lead to her being asked to move out of the house.
Later, when the house was being sold and after she had been advised that she would have to vacate it, she contacted law enforcement, including the FBI, and state regulators to report the unsecured files. The FBI advised her to contact the Department of Health and Human Services’ Office for Civil Rights and submit a complaint. She did this and also contacted news station NBC 5.
Following a journalistic investigation, NBC 5 reporters broadcast the story in March 2017. Ms. Jarvis-Neavins told reporters that boxes of files were kept in the basement and that the files in question “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”
The investigating reporters went to the property and attempted to contact Dr. Baber. His attorney responded and released a statement on his behalf stating that the tenant should not have been able to access the basement, that a key was never given to her, that the records were secured and that the doors to the basement were locked securely. It is believed that the files were removed from the basement the day after NBC 5 contacted Dr. Baber.
On September 28, 2017, the Office for Civil Rights (OCR) was informed of the privacy violation affecting 10,500 of Dr. Riaz Baber's records. It is not known why it took six months for the data breach to be officially reported, as HIPAA Rules dictate that a breach report should be submitted within 60 days of the breach being identified.
HIPAA covered entities and their business associates that opt to keep physical records such as physicians’ notes, charts, x-ray films or documents off site must put in place administrative, technical and physical security measures to ensure the confidentiality, integrity and availability of patients’ protected health information (PHI). Access to the facility where the data is stored should be restricted to prevent unauthorized people from accessing PHI.